Issue 2: California IoT security law, GoDaddy & AWS vulnerabilities

Vulnerabilities

GoDaddy's 2-step authentication API was found to be vulnerable. The API lacks rate limiting and does not impose a timeout after failed second-factor attempts, which opens the door to brute-force attacks against the second factor.
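The missing controls above are attempt counting and a lockout after repeated failures. As an added illustration (not GoDaddy's code; account names, codes and thresholds are constructed), this verifier refuses the second factor for a fixed period once an account exceeds a failure budget, and uses an injectable clock so the lockout can be exercised offline:

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # failures tolerated before the second factor is refused
LOCKOUT_SECONDS = 300     # how long the second factor stays refused afterwards


@dataclass
class SecondFactorState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


class SecondFactorVerifier:
    """Second-factor check with per-account failure budget and lockout."""

    def __init__(self, expected_codes, clock=time.time):
        # expected_codes: hypothetical account -> currently valid code lookup
        self._codes = expected_codes
        self._state = {}
        self._clock = clock   # injectable so the lockout can be tested

    def verify(self, account: str, submitted: str) -> str:
        now = self._clock()
        st = self._state.setdefault(account, SecondFactorState())
        if now < st.locked_until:
            # Locked: do not even evaluate the code, so a correct guess
            # made during the lockout yields no signal.
            return "locked"
        expected = self._codes.get(account, "")
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if expected and hmac.compare_digest(expected, submitted):
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.failed_attempts = 0
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "rejected"


if __name__ == "__main__":
    v = SecondFactorVerifier({"alice": "123456"})
    print([v.verify("alice", "000000") for _ in range(MAX_FAILED_ATTEMPTS)])
```

In production the state would live in shared storage keyed by account (and ideally by source as well), so the counter survives restarts and applies across API nodes.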

AWS honeytokens, credentials designed by Amazon to help security specialists attract attackers and detect attacks, turned out to be discoverable. The vulnerability is a combination of two factors. Certain failed AWS queries produce verbose error messages that include the Amazon Resource Name (ARN), which reveals that the credential is a honeytoken. To make things worse, not all AWS services are covered by CloudTrail logging, so attackers can send these intentionally failing queries to the uncovered services to check whether what they found is a honeytoken, without the check being logged or detected.

Legal / Compliance

The California State Senate and Assembly passed new legislation on IoT security and the APIs exposed by smart devices. The law requires devices to have authentication and features that protect the device and any information contained on it from unauthorized access, destruction, use, modification, or disclosure. It takes effect on January 1, 2020.

Jason Macy from Forum Systems argues that APIs need to be secure by design, which includes:

Centralized identity management,

Real-time monitoring & security enforcement,

Seamless cloud integration.

Shahid Mansuri writes about API security in the Internet of Things (IoT): “API security will be critical for defending the integrity of data transiting between IoT devices and backend software infra to make sure that only sanctioned devices, certified developers, and trustworthy apps are collaborating with APIs as well as spotting possible threats and attacks against particular APIs.”